Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Query Task

Rawabi1994
New Member
‎09-05-2021 12:56 AM

I want Splunk query related to:
1. Firewalls availability
2. Endpoint protection availability

For my own work, you can help with this

Thank you

Best Regards.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-05-2021 02:32 AM

Hi @Rawabi1994,

the information you share are really few to help you!

Anyway, when you speak of firewall and endpoint availability, do you mean the you're receiving logs from your firewalls and endpoints?

If this is your need, you could create a lookup containing the list of firewall (and another for endpoints) to check, called e.g. FW_perimeter.csv.

Then you have to run a search like this:

 

index=firewalls
| head 10
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup FW_perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

 

in this way, you'll have a list of firewalls of your lookup that didn't send logs in the last period (e.g. 5 minutes).

Put attention to the host field, check if this field contains an hostname or an IP addres in the results and use the same in the lookup.

It's also possible to automatically update the lookup, running a scheduled search (e.g. every night) on the Firewalls that sent logs in the last month, but i don't like this solution because in this way you loose the control of the monitored list.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...